Abstract

Recent work of Pickett has given a construction of self-dual normal bases for extensions of finite fields, whenever they exist. In this article we present these results in an explicit and constructive manner and apply them, through computer search, to identify the lowest complexity of self-dual normal bases for extensions of low degree. Comparisons to similar searches amongst normal bases show that the lowest complexity is often achieved from a self-dual normal basis.
Introduction

Let $q$ be a power of a prime, $n$ an integer, and let $\mathbb{F}_q$ be the field of $q$ elements. The Galois group $G$ of the extension $\mathbb{F}_{q^n}/\mathbb{F}_q$ is a cyclic group, generated by the Frobenius automorphism $\phi : x \mapsto x^q$.

A basis for $\mathbb{F}_{q^n}/\mathbb{F}_q$ consisting of the orbit of a single element $\alpha$ under the action of the Frobenius is known as a normal basis. In such a basis, exponentiation by $q$ is a cyclic shift of coordinates, hence is straightforward, as is trace computation. The difficulty of multiplying two elements written as linear combinations of the conjugates of $\alpha$ is measured by the so-called complexity of $\alpha$, defined as the number of non-zero entries in the multiplication-by-$\alpha$ matrix [10, §4.1]. It has been shown in [19] to be at least $2n - 1$, in which case the basis is called optimal, but this occurs only for very special values of $n$ [8].

The search for normal bases with low complexity has taken two complementary directions. On the theoretical side, several authors have attempted to build them either from roots of unity in larger extensions, using Gauss periods [T][8llH] or traces of optimal normal bases [5], again with some limitations on the degree; or from the extension itself, using division points of a torus [5,7] or of an elliptic curve [B]. In the latter case the authors show that fast arithmetic can be implemented using their bases, as was also shown to be the case for normal bases generated by Gauss periods in [9].

On the experimental side, exhaustive searches of all normal bases of a given extension have been carried out. Mullin, Onyszchuk, Vanstone and Wilson have given a first list of lowest complexities in degree less than 30 over $\mathbb{F}_2$ in [19]; this list was extended up to degree 33 by Geiselmann [10, Table 5.1]. In odd characteristic, Blake, Gao and Mullin computed the lowest complexities of normal bases for a handful of small degree extensions [3]. Recently, Masuda, Moura, Panario and Thomson have reached degree 39 over $\mathbb{F}_2$ and given appealing statistics and conjectures about the distribution of complexities [17]. These authors point out that the cost of the exhaustive enumeration of the elements of $\mathbb{F}_{2^n}$ used to look for normal basis generators is a severe limitation to their method when the degree grows. On the other hand, their Table 4 shows that the minimal complexity for normal bases is very often reached by so-called self-dual bases (in all degrees not divisible by 4 up to 35 apart from 7, 10, 21). Restricting to self-dual normal bases enables one to push computations further; Geiselmann was indeed able to compute the lowest complexity for self-dual normal bases over $\mathbb{F}_2$ up to degree 47 [10, loc. cit.]. Comparing his results and [17, Table 5], we see that the best found complexity for normal bases in degree over 40, obtained by theoretical constructions or random search, is also reached by a self-dual normal basis for odd degrees up to 47.

A normal basis $\{\alpha, \alpha^q, \dots, \alpha^{q^{n-1}}\}$ for the extension $\mathbb{F}_{q^n}/\mathbb{F}_q$ is said to be self-dual if $\mathrm{Tr}(\alpha^{q^i}\alpha^{q^j}) = \delta_{ij}$ for $0 \le i, j \le n-1$, where $\mathrm{Tr}$ is the trace map from $\mathbb{F}_{q^n}$ to $\mathbb{F}_q$ and $\delta$ is the Kronecker delta; a self-dual basis is indeed equal to its dual basis (see [18, §1.2] for a definition), and its complexity is the number of non-zero entries in the matrix:

$$\left(\mathrm{Tr}(\alpha\,\alpha^{q^i}\alpha^{q^j})\right)_{0 \le i, j \le n-1}.$$
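As an added illustration of these definitions (example code written for this edit, not part of the paper or of its MAGMA implementation), the following Python script works in $\mathbb{F}_{2^n}/\mathbb{F}_2$ for $n = 3, 5, 7$: it tests every element for normality and self-duality, computes the complexity of a self-dual normal basis from the matrix above, and counts the self-dual normal basis generators. The irreducible moduli chosen to represent the fields are assumptions of the example.

```python
# Added example (not code from the paper): brute-force check of the
# definitions of normal basis, self-duality and complexity over F_{2^n}/F_2.
# Field elements are ints whose bits are polynomial coefficients, reduced
# modulo an irreducible polynomial of degree n.

# n -> irreducible modulus with bit n set (constructed choices for this example)
MODULI = {3: 0b1011, 5: 0b100101, 7: 0b10000011}


def gf_mul(a, b, n):
    """Multiply two elements of F_{2^n} (ints) modulo MODULI[n]."""
    mod = MODULI[n]
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= mod
    return r


def conjugates(a, n):
    """[a, a^2, a^4, ..., a^(2^(n-1))]: the Frobenius orbit of a."""
    orbit = [a]
    for _ in range(n - 1):
        orbit.append(gf_mul(orbit[-1], orbit[-1], n))
    return orbit


def trace(a, n):
    """Tr(a) = a + a^2 + ... + a^(2^(n-1)), an element of F_2 (0 or 1)."""
    t = 0
    for c in conjugates(a, n):
        t ^= c
    return t


def gf2_rank(vectors):
    """Rank of a family of bit vectors over F_2 (Gaussian elimination)."""
    pivots = {}
    for v in vectors:
        while v:
            top = v.bit_length() - 1
            if top in pivots:
                v ^= pivots[top]
            else:
                pivots[top] = v
                break
    return len(pivots)


def is_normal(a, n):
    """a generates a normal basis iff its n conjugates are linearly independent."""
    return gf2_rank(conjugates(a, n)) == n


def is_self_dual_normal(a, n):
    """Self-dual: Tr(a^(2^i) a^(2^j)) = delta_ij. As Tr is Frobenius-invariant,
    Tr(a^(2^i) a^(2^j)) = Tr(a a^(2^(j-i))), so checking the row i = 0 suffices."""
    if not is_normal(a, n):
        return False
    orbit = conjugates(a, n)
    return all(trace(gf_mul(a, orbit[j], n), n) == (1 if j == 0 else 0)
               for j in range(n))


def complexity(a, n):
    """Number of non-zero entries of (Tr(a a^(2^i) a^(2^j)))_{i,j}, the
    multiplication table of the self-dual normal basis generated by a."""
    orbit = conjugates(a, n)
    return sum(trace(gf_mul(a, gf_mul(orbit[i], orbit[j], n), n), n)
               for i in range(n) for j in range(n))


def survey(n):
    """Exhaustively list the self-dual normal basis generators of F_{2^n}/F_2.
    Returns (number of generators, lowest complexity among them)."""
    gens = [a for a in range(1, 1 << n) if is_self_dual_normal(a, n)]
    return len(gens), min(complexity(a, n) for a in gens)


if __name__ == "__main__":
    for n in sorted(MODULI):
        print(n, survey(n))
```

survey(3) returns (3, 5) and survey(5) returns (5, 9): in both degrees the $n$ generators found are the conjugates of a single basis, which is optimal. survey(7) finds 7 generators, again a single basis up to cyclic shift.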

Self-dual normal bases are useful for arithmetic and Fourier transform, and have applications in coding theory and cryptography. Contrary to normal bases, not all extensions of finite fields admit self-dual normal bases, but the existence conditions, recalled in Theorem 1 below, are mild. The theoretical techniques used to construct normal bases with low complexity sometimes yield self-dual normal bases, see e.g. [3, §5.4] or [3, §5], [HI Corollary 3.5], [5, Theorem 5], [20].

In this paper we focus on the experimental side and give the lowest complexity of self-dual normal bases in various characteristics and degrees. At present, the only known strategy to reach this goal is to compute the complexity of all the self-dual normal bases of the extension (unless it admits an optimal self-dual normal basis, which is easily predictable using [15, Theorem 2]). In order to do so, we first construct a self-dual normal basis for the extension, then act on it by the orthogonal circulant group, namely the group of change of self-dual normal basis matrices. This group has been extensively studied, with accurate descriptions being given in [1,11,16]. Its size is in $O(q^{n/2})$ (see Remark 2.5 below), roughly the square root of the number of normal bases in view of [m Corollary 4.14]. It follows that exhaustive enumeration of self-dual normal bases is easier than that of normal bases. We shall restrict ourselves to extensions $\mathbb{F}_{q^n}/\mathbb{F}_q$ which are either semi-simple (the degree $n$ prime to the characteristic $p$) or ramified ($n$ a power of $p$), the description of the orthogonal circulant group in the "mixed" case being a bit more elaborate.

We now describe our work more precisely. First we recall the necessary and sufficient conditions for the existence of self-dual normal bases.

Theorem 1 (Lempel-Weinberger) The extension of finite fields $\mathbb{F}_{q^n}/\mathbb{F}_q$ has a self-dual normal basis if and only if either the degree $n$ is odd or $n \equiv 2 \pmod 4$ and $q$ is even.



The existence proof in [13] is constructive in the sense that, given a normal basis for the extension, it describes a procedure to transform it into a self-dual normal basis. Wang proposed another transformation procedure in [24] when $q = 2$ and $n$ is odd, involving solving a system of equations. Poli extended Wang's method to deal with the general characteristic 2 case in [22]. Recently, Pickett designed in [21] a construction that extends the former ones to the odd characteristic case, dealing separately with the semi-simple case and the ramified case.

The construction of a normal basis for a given extension is well known and widely implemented. Therefore, the methods described above enable one to construct a self-dual normal basis under the existence conditions of Theorem 1. To our knowledge, this has not been implemented before, except in the restrictive case in which Wang's method applies. In this paper we apply Pickett's construction to compute a self-dual normal basis of a given extension whenever it exists. Note that for this first goal the method in [13] is simpler and faster, but most of the computations involved in Pickett's construction must be implemented if one wants to compute the action of the orthogonal circulant group as well.



The criterion used in [21] to determine which changes of basis are appropriate has been generalised to any characteristic and degree, see [10, Lemma 5.5.3], where it is expressed in terms of circulant matrices. Here we restate it in terms of the group algebra $\mathbb{F}_q[G]$ as in [21]. Conjugation $u \mapsto \bar u$ in $\mathbb{F}_q[G]$ is the $\mathbb{F}_q$-algebra automorphism obtained from $g \mapsto g^{-1}$ for all $g \in G$; if $u = \sum_{k=0}^{n-1} u_k \phi^k \in \mathbb{F}_q[G]$ and $a \in \mathbb{F}_{q^n}$, we put $u \circ a = \sum_{k=0}^{n-1} u_k \phi^k(a) \in \mathbb{F}_{q^n}$.

Theorem 2 Assume that $\alpha$ is a generator of a normal basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ and let

$$R = \sum_{g \in G} \mathrm{Tr}(\alpha\, g(\alpha))\, g \in \mathbb{F}_q[G].$$

Any $v \in \mathbb{F}_q[G]$ such that $v\bar v = R$ is invertible, and the map $v \mapsto v^{-1} \circ \alpha$ is a one-to-one correspondence between the set of solutions of the equation $v\bar v = R$ in $\mathbb{F}_q[G]$ and the set of elements of $\mathbb{F}_{q^n}$ that generate a self-dual normal basis.

In Section 1 we first explain how this result can be deduced from the statement on circulant matrices [10, loc. cit.]. Our main interest is in implementing Pickett's method as an algorithm, and since the language he uses to describe his construction of a solution of the equation $v\bar v = R$ in [21, §3] is quite elaborate (his framework is wider than ours), we reformulate it in terms of the polynomial ring $\mathbb{F}_q[X]/(X^n - 1)$; the resulting algorithm to compute a self-dual normal basis is described in the last section. We remark that this construction gives an alternative proof of the sufficiency of the conditions of Theorem 1; for interest we give a proof of their necessity, mainly based on Theorem 2, and simpler than the original (see [10, Propositions 4.3.4 and 5.2.2]).

Section 2 deals with the orthogonal circulant group $O(n, q)$. Its elements are the $n \times n$ matrices $P$ over $\mathbb{F}_q$ that are circulant ($P_{i+k \bmod n,\, j+k \bmod n} = P_{i,j}$ for $0 \le i, j, k \le n-1$) and orthogonal ($P^t \cdot P = I$, where $P^t$ is the transpose matrix of $P$ and $I$ the identity $n \times n$ matrix). It follows from Theorem 2 that $O(n, q)$ is isomorphic to the subgroup of $\mathbb{F}_q[G]^\times$ consisting of the solutions of the equation $v\bar v = 1$. In both the semi-simple and the ramified case we indicate how this equation can be solved; the resulting algorithms are described in the last section. Doing so we recover the number of self-dual normal bases, as derived in [11,12] from MacWilliams' results about the orthogonal circulant group [16] (see [10, §5.3] for a summary). In the ramified (and odd characteristic) case our construction is a variation, adjusted to our situation, of MacWilliams' iterative construction; we also present a new explicit formula for the solutions.

In Section 3 we present our algorithms, experimental results and conclusions. For semi-simple extensions in odd characteristic, the lowest complexity we find is close to that obtained for normal bases from exhaustive computer search [3] or from theoretical constructions [15], as was already the case in even characteristic. We also observe an interesting behaviour under base field extension. When the extension is of degree $p$ in odd characteristic $p$ we recover the basis with very low complexity $3p - 2$ described in [3].



1 Construction of a self-dual normal basis 



Our algorithm to find a self-dual normal basis relies on the interpretation in terms of polynomial rings of Pickett's construction of a solution $v$ of the equation $v\bar v = R$ of Theorem 2 (under the necessary conditions of Theorem 1). The majority of this section is devoted to presenting this interpretation. First, however, we deduce Theorem 2 from statements in terms of circulant matrices. At the end of the section we show how to deduce the necessity of the conditions of Theorem 1 from Theorem 2.



1.1 Proof of Theorem 2



Consider the one-to-one correspondence between $\mathbb{F}_q[G]$ and circulant $n \times n$ matrices over $\mathbb{F}_q$, given by

$$v = \sum_{j=0}^{n-1} v_j \phi^j \in \mathbb{F}_q[G] \;\longmapsto\; C_v = \left(v_{j-i \bmod n}\right)_{0 \le i, j \le n-1}. \qquad (1)$$

One has $C_1 = I$ and, for any $v, w \in \mathbb{F}_q[G]$, $C_v \cdot C_w = C_{vw}$, so (1) yields a group isomorphism between $\mathbb{F}_q[G]^\times$ and the abelian group of invertible circulant $n \times n$ matrices over $\mathbb{F}_q$. Note that the matrix $C_R = \left(\mathrm{Tr}(\alpha^{q^i + q^j})\right)_{0 \le i, j \le n-1}$ is invertible since $\alpha$ generates a normal basis, see [18, Corollary 1.3], so $R \in \mathbb{F}_q[G]^\times$ and $v\bar v = R$ implies $v$ invertible as well.

Moreover one has $C_{\bar v} = (C_v)^t$, where $(C_v)^t$ is the transpose matrix of $C_v$. It follows that the equation $v\bar v = R$ is equivalent to

$$C_v \cdot (C_v)^t = \left(\mathrm{Tr}(\alpha^{q^i + q^j})\right)_{0 \le i, j \le n-1}. \qquad (2)$$



For $x \in \mathbb{F}_{q^n}$, let $[x]$ denote the $n \times n$ matrix whose $j$-th column, $0 \le j \le n-1$, consists of the coordinates of $x^{q^j}$ in a fixed $\mathbb{F}_q$-basis of $\mathbb{F}_{q^n}$. Then one has, for any $v \in \mathbb{F}_q[G]$, $x \in \mathbb{F}_{q^n}$:

$$[v \circ x] = [x] \cdot C_v.$$



Let $P$ be some invertible $n \times n$ matrix over $\mathbb{F}_q$, then the columns of $B = [\alpha]P$ are the coordinates in the fixed $\mathbb{F}_q$-basis of $\mathbb{F}_{q^n}$ of a normal basis if and only if $P$ is a circulant matrix, see [10, Lemma 3.1.3]. Further, for such a $P$, its inverse $P^{-1}$ is also circulant and from [10, Lemma 5.5.3] we know that the columns of $B$ form a self-dual normal basis if and only if

$$P^{-1} \cdot (P^{-1})^t = \left(\mathrm{Tr}(\alpha^{q^i + q^j})\right)_{0 \le i, j \le n-1}. \qquad (3)$$



If $v\bar v = R$, then $C_v$ is circulant invertible and $(C_v)^{-1} = C_{v^{-1}}$ satisfies (3), hence $B = [\alpha]C_{v^{-1}} = [v^{-1} \circ \alpha]$ is a self-dual normal basis; if $\beta$ generates a self-dual normal basis, let $P$ be such that $[\beta] = [\alpha]P$; it is circulant and so is its inverse, and by (2) the element $v \in \mathbb{F}_q[G]$ such that $P^{-1} = C_v$ satisfies $v\bar v = R$. These two maps are clearly mutual inverses, which completes the proof.



1.2 Interpretation of Pickett's construction in terms of polynomial rings 



The Galois group $G$ of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ is cyclic of order $n$ and generated by the Frobenius $\phi$, so we may identify the $\mathbb{F}_q$-algebras $\mathbb{F}_q[G]$ and $\mathbb{F}_q[X]/(X^n - 1)$ through the isomorphism mapping $\phi$ to $X$.

Write $n = p^e n_1$, where $p$ is the characteristic of $\mathbb{F}_q$ and $n_1$ is prime to $p$. We take advantage of the following result [10, Theorems 3.3.13 and 5.1.9] to split the extension into two parts.

Lemma 1.1 Let $m, n$ be two co-prime integers. Suppose $\alpha$ (resp. $\beta$) is a generator of a self-dual normal basis of $\mathbb{F}_{q^m}$ (resp. $\mathbb{F}_{q^n}$) over $\mathbb{F}_q$, then $\alpha\beta$ is a generator of a self-dual normal basis of the compositum $\mathbb{F}_{q^{mn}}$ over $\mathbb{F}_q$. Moreover, the complexity of $\alpha\beta$ is the product of the complexities of $\alpha$ and of $\beta$.

By the former result, we may deal separately with the two cases $n = p^e$, which we call the ramified case, and $n$ co-prime to $p$, the so-called semi-simple case. We show how to construct a solution $v$ of the equation $v\bar v = R$ of Theorem 2 in each of these two cases, under the existence conditions of a self-dual normal basis of Theorem 1. Multiplying the bases obtained this way then yields self-dual normal bases for the extensions with "mixed degree" $n = n_1 p^e$ with $n_1 \ge 2$ and $e \ge 1$.



1.2.1 The ramified case ($n = p^e$)

In this case, the algebra $\mathbb{F}_q[G]$ is isomorphic to $\mathbb{F}_q[X]/(X - 1)^n$. Let $\varepsilon : \mathbb{F}_q[G] \to \mathbb{F}_q$ be the augmentation map given by $\varepsilon(\sum_{k=0}^{n-1} a_k \phi^k) = \sum_{k=0}^{n-1} a_k$. This is a homomorphism of $\mathbb{F}_q$-algebras whose kernel is a codimension 1 subspace of $\mathbb{F}_q[G]$. Further $\varepsilon(\sum_{k=0}^{n-1} a_k \phi^k) = 0$ implies $\sum_{k=0}^{n-1} a_k \phi^k = \sum_{k=0}^{n-1} a_k (\phi^k - 1)$, and therefore the kernel is $(\phi - 1)\mathbb{F}_q[G]$. Invertible elements in $\mathbb{F}_q[G]$ are those which have non-zero image under the map $\varepsilon$ (because invertible modulo $(X - 1)^n$ means invertible modulo $X - 1$), hence the group $\mathbb{F}_q[G]^\times$ has order $q^{n-1}(q - 1)$. In fact, it is the direct product of $\mathbb{F}_q^\times$ by $U = 1 + (\phi - 1)\mathbb{F}_q[G]$, the inverse image of 1 under the map $\varepsilon$.

Under the necessary conditions of Theorem 1, we have two cases to consider.

Proposition 1.2 Recall that $p$ is the characteristic of $\mathbb{F}_q$. If $p = n = 2$, $\beta \in \mathbb{F}_{q^2}$ generates a self-dual normal basis if and only if $\mathrm{Tr}(\beta) = 1$. If $p$ is odd and $n = p^e$, there exists $u \in \mathbb{F}_q[G]$ such that $u^2 = R$; further one then has $\bar u = u$.

Proof. The even characteristic case is straightforward. We proceed with the odd characteristic case. Recall that $R \in \mathbb{F}_q[G]^\times$ and note that $\bar R = R$. One can easily see that $\varepsilon(R) = \mathrm{Tr}(\alpha)^2$ (detailed in the proof of Lemma 1.6 below), so that the decomposition of $R$ in the above direct product is $R = \mathrm{Tr}(\alpha)^2 \cdot (1 + (\phi - 1)R')$ for some $R' \in \mathbb{F}_q[G]$. The second factor is also a square as it belongs to the group $U$ which is of odd order, hence $R = u^2$ for some $u$. Further $\bar R = R$ implies $\bar u^2 = u^2$, so that $\bar u / u$ is a square root of 1 living in the group $U$ of odd order. Thus $\bar u = u$. ∎



1.2.2 The semi-simple case ($\gcd(n, q) = 1$)

We assume that $n$ is odd to fit with the conditions of Theorem 1 (but $q$ could be odd or even). The polynomial $X^n - 1$ is square free and has monic irreducible factors over $\mathbb{F}_q$:

$$X^n - 1 = \prod_{i=1}^{a} f_i(X) \prod_{j=1}^{r} g_j(X)\, g_j^*(X) \qquad (4)$$

where $g_j^*$ denotes the reciprocal polynomial (up to a constant) of $g_j$ and where the $f_i$ are the self-reciprocal (also up to a constant) irreducible factors. We will now express the equation $R = v\bar v$ in this decomposition, solve it, and then lift back the solution to $\mathbb{F}_q[G]$.

Let $m$ be the order of $q$ modulo $n$. The field $\mathbb{F}_{q^m}$ contains a primitive $n$-th root $\zeta$ of 1. On the set $\{0, \dots, n-1\}$ we define the cyclotomic equivalence relation: $s \sim s'$ if there exists $k$ such that $s = q^k s' \bmod n$. Note that 0 forms a class on its own and that the integers prime to $n$ belong to classes with the same cardinality, equal to the order of $q$ modulo $n$. Namely, since $n$ and $q$ are co-prime, the cyclotomic equivalence relation restricts to $(\mathbb{Z}/n\mathbb{Z})^\times$ and for $s, s'$ invertible modulo $n$, $s \sim s'$ if and only if $s$ and $s'$ belong to the same coset in $(\mathbb{Z}/n\mathbb{Z})^\times / \langle q \rangle$.

The following proposition justifies the terminology. 

Proposition 1.3 (a) If $\zeta^s$ is a root of an irreducible factor of $X^n - 1$, then the other roots are the $\zeta^{s'}$ where $s' \sim s$.

(b) The $\zeta^s$ such that $s \sim (n - s)$ are roots of a self-reciprocal factor $f_i$. The $\zeta^s$ such that $s \not\sim n - s$ are roots of a non self-reciprocal factor $g_j$.

(c) The number of cyclotomic classes is equal to the number $a + 2r$ of irreducible factors of $X^n - 1$.

(d) The self-reciprocal factors $f_i$ have even degree, except $f_1 = X - 1$.

Proof. (a), (b), (c) are clear. Let us prove (d). If $\zeta^s$ is a root of an $f_i$, then $\zeta^{n-s}$ is also a root. If we exclude the case $s = 0$ corresponding to the factor $X - 1$, the two roots $\zeta^s$ and $\zeta^{n-s}$ are distinct, because $n$ is odd. Hence $f_i$ has an even number of roots in an algebraic closure. ∎



From the Chinese Remainder Theorem, the algebra $\mathbb{F}_q[X]/(X^n - 1)$ is isomorphic to a product of $a + 2r$ fields:

$$\mathbb{F}_q[X]/(X^n - 1) \;\cong\; \prod_{i=1}^{a} \mathbb{F}_q[X]/(f_i(X)) \times \prod_{j=1}^{r} \Big( \mathbb{F}_q[X]/(g_j(X)) \times \mathbb{F}_q[X]/(g_j^*(X)) \Big). \qquad (5)$$

Each factor in the RHS of this equation is an extension of $\mathbb{F}_q$ contained in $\mathbb{F}_{q^m}$ (recall $m$ is the order of $q$ modulo $n$). The evaluation map $u(X) \in \mathbb{F}_q[X]/(f) \mapsto u(\zeta^s) \in \mathbb{F}_q(\zeta^s)$, where $f$ is an $f_i$ or a $g_j$ and $s \in \{0, \dots, n-1\}$ is such that $f(\zeta^s) = 0$, is a field isomorphism. We obtain the following result:

Proposition 1.4 Let $S$ be a set of representatives of cyclotomic classes. The map

$$\mathbb{F}_q[X]/(X^n - 1) \;\longrightarrow\; \prod_{s \in S} \mathbb{F}_q(\zeta^s) \qquad (6)$$

is an $\mathbb{F}_q$-algebra isomorphism.

For practical reasons (mainly to deal with square matrices), we also consider the map $\mathcal{F}$ (a Fourier transform)

$$\mathcal{F} : \mathbb{F}_q[X]/(X^n - 1) \;\longrightarrow\; (\mathbb{F}_{q^m})^n, \qquad u(X) \;\longmapsto\; \left(u(\zeta^s)\right)_{0 \le s \le n-1}, \qquad (7)$$

which is a homomorphism of $\mathbb{F}_q$-algebras, with matrix $F(\zeta) = (\zeta^{ij})_{0 \le i, j \le n-1}$. Compared with isomorphism (6), we now compute a component at every $0 \le s \le n-1$; the components corresponding to indices in the same coset under $\sim$ are cyclically permuted when applying the Frobenius $\phi$.

We note the following easy but useful relation involving the matrices $F(\zeta)$ and $F(\zeta^{-1}) = (\zeta^{-ij})_{0 \le i, j \le n-1}$:

Lemma 1.5 $F(\zeta^{-1})F(\zeta) = nI$.

As a consequence, the following linear map $\mathcal{F}'$, with matrix $F(\zeta^{-1})$, can be used to compute the inverse of $\mathcal{F}$:

$$\mathcal{F}' : (\mathbb{F}_{q^m})^n \;\longrightarrow\; \mathbb{F}_{q^m}[X]/(X^n - 1), \qquad (r_0, \dots, r_{n-1}) \;\longmapsto\; \sum_{t=0}^{n-1} u_t X^t \;\text{ where } u_t = \sum_{i=0}^{n-1} r_i \zeta^{-it}. \qquad (8)$$

This is because $\mathcal{F}'(\mathcal{F}(u)) = nu$ for each $u \in \mathbb{F}_q[X]/(X^n - 1)$.

The idea here is to express $R$ as an element of the RHS of (6), to solve the equation in each component, and to bring back the solution to $\mathbb{F}_q[X]/(X^n - 1)$. The conjugation map, induced by $X \mapsto X^{n-1}$ in $\mathbb{F}_q[X]/(X^n - 1)$, is given by $\zeta \mapsto \zeta^{-1}$ and will sometimes be denoted by $J$ in the RHS of (6).

Let $R$ be as in Theorem 2. The $s$-coordinate of $\mathcal{F}(R)$ is $R_s = \sum_{k=0}^{n-1} \mathrm{Tr}(\alpha^{1+q^k})\, \zeta^{sk}$.

We begin with the cyclotomic class $s = 0$. Here, $\mathbb{F}_q(\zeta^0) = \mathbb{F}_q$ and the conjugation map $J$ acts trivially. Note that $R_0 = \varepsilon(R)$.

Lemma 1.6 (3.5 in [21]) With $v_0 = \mathrm{Tr}(\alpha)$, we have $v_0 \bar v_0 = R_0$.

Proof. We have $J(\mathrm{Tr}(\alpha)) = \mathrm{Tr}(\alpha)$ and

$$\mathrm{Tr}(\alpha)^2 = \Big( \sum_{j=0}^{n-1} \alpha^{q^j} \Big)^2 = \sum_{i,j=0}^{n-1} \alpha^{q^i + q^j} = \sum_{i,k=0}^{n-1} \alpha^{q^i(1 + q^k)} = \sum_{k=0}^{n-1} \mathrm{Tr}(\alpha^{1+q^k}) = R_0. \qquad ∎$$



We now consider the cyclotomic classes $s$ such that $s \not\sim n - s$.

Lemma 1.7 (3.6 in [21]) Let $s' \in S$ such that $s' \sim n - s$. We have $R_s = R_{s'}$. Putting $v_{s,s'} = (R_s, 1) \in \mathbb{F}_q(\zeta^s) \times \mathbb{F}_q(\zeta^{s'})$, we have $v_{s,s'} \bar v_{s,s'} = (R_s, R_{s'})$.

Proof. The conjugation map $J$ exchanges coordinates in $\mathbb{F}_q(\zeta^s) \times \mathbb{F}_q(\zeta^{s'})$: $J(u, u^*) = (u^*, u)$. As $R$ is invariant by conjugation, we have $R_s = R_{s'}$. Therefore $v_{s,s'} J(v_{s,s'}) = (R_s, 1)(1, R_s) = (R_s, R_{s'})$. ∎



We finally deal with the cyclotomic classes $s$ such that $s \ne 0$ and $s \sim n - s$.

Lemma 1.8 (3.7 in [21]) Let $s \in S$ such that $0 \ne s$ and $s \sim n - s$. Then the field $\mathbb{F}_q(\zeta^s)$ is stable under the conjugation map $J$, and we denote by $\mathbb{F}_q(\zeta^s)^J$ the fixed subfield. Further $R_s$ (resp. $-R_s$) has a square root $u$ (resp. $u'$) in $\mathbb{F}_q(\zeta^s)$. We consider three cases:

(a) the case where $u \in \mathbb{F}_q(\zeta^s)^J$, then $v_s = u$ satisfies $v_s \bar v_s = R_s$;

(b) the case where $u' \notin \mathbb{F}_q(\zeta^s)^J$, then $v_s = u'$ satisfies $v_s \bar v_s = R_s$;

(c) the case where $u \notin \mathbb{F}_q(\zeta^s)^J$ and $u' \in \mathbb{F}_q(\zeta^s)^J$, then there exists an integer $\eta$ such that $-\eta$ is a non-zero square $\rho^2$ modulo the characteristic $p$ of $\mathbb{F}_q$, but $-(\eta - 1)$ is not a square modulo $p$, and there exists an integer $\nu$ such that $\nu^2 = \eta - 1$ modulo $p$. We put $v_s = (\nu u + u')/\rho$, then $v_s \bar v_s = R_s$.



Proof. From Proposition 1.3, the field $\mathbb{F}_q(\zeta^s)$ is some extension $\mathbb{F}_{q^r}$ over $\mathbb{F}_q$ with $r$ even. We have $\zeta^{-s} = \zeta^{n-s} \ne \zeta^s$ because $n$ is odd. Hence $J$ restricted to $\mathbb{F}_q(\zeta^s)$ is an order 2 field automorphism, which by Galois theory defines a unique index 2 subextension $\mathbb{F}_q(\zeta^s)^J = \mathbb{F}_{q^{r/2}}$. Note that each element of $\mathbb{F}_q(\zeta^s)^J$ is a square in $\mathbb{F}_q(\zeta^s)$ (because $(q^r - 1)/(q^{r/2} - 1) = q^{r/2} + 1$ is even). Both $R_s$ and $-R_s$ are invariant under $J$, hence they are both squares in $\mathbb{F}_q(\zeta^s)$.

If $\bar u = u$, namely in case (a), then $u\bar u = u^2 = R_s$; if $\bar u' \ne u'$, namely in case (b), then $\bar u' = -u'$ and $u'\bar u' = -u'^2 = R_s$.

Suppose now (case c) that $\bar u = -u$ and $\bar u' = u'$. As $-1 = -R_s/R_s$, we know that $-1$ is not a square in $\mathbb{F}_q(\zeta^s)^J$, nor in $\mathbb{F}_p$. Hence the first $\eta > 1$ such that $-\eta$ is a square modulo $p$ exists and satisfies the required conditions. Also, because neither $-1$ nor $-(\eta - 1)$ are squares modulo $p$, there exists an integer $\nu$ such that $\nu^2 = \eta - 1$ modulo $p$. Taking the residues of $\rho$ and $\nu$ modulo $p$, we have $\bar\rho = \rho$ and $\bar\nu = \nu$ because $\mathbb{F}_p \subset \mathbb{F}_q(\zeta^s)^J$. With $v_s = (\nu u + u')/\rho$, we have $\bar v_s = (-\nu u + u')/\rho$ and it follows that $v_s \bar v_s = (-\nu^2 u^2 + u'^2)/\rho^2 = (-(\eta - 1)R_s - R_s)/(-\eta) = R_s$. ∎



We have solved the equation $v_s \bar v_s = R_s$ for every cyclotomic class $s$, thus by the $\mathbb{F}_q$-algebra isomorphism (6) we get a solution $v \in \mathbb{F}_q[G]$ of the equation $v\bar v = R$.



1.3 The necessity of the conditions of Theorem 1



If $\alpha$ is a generator of a self-dual normal basis of $\mathbb{F}_{q^{nm}}$ over $\mathbb{F}_q$, then $\mathrm{Tr}_{\mathbb{F}_{q^{nm}}/\mathbb{F}_{q^n}}(\alpha)$ is a generator of a self-dual normal basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$, see [21, Lemma 4.3]. Therefore, to prove the necessity of the conditions in Theorem 1 we need just consider the cases $\mathbb{F}_{q^2}/\mathbb{F}_q$ for $q$ odd and $\mathbb{F}_{q^4}/\mathbb{F}_q$ for $q$ even.

When $q$ is odd, $\mathrm{Tr}(\alpha\alpha^q) = 2N(\alpha)$ for any $\alpha \in \mathbb{F}_{q^2}$, where $N(\alpha)$ denotes the norm of $\alpha$ in the extension, hence $\mathrm{Tr}(\alpha\alpha^q) = 0$ would imply $\alpha = 0$.

Let $q$ be even, and assume for contradiction that there exists a normal basis generator $\alpha$ of $\mathbb{F}_{q^4}/\mathbb{F}_q$ and an element $v \in \mathbb{F}_q[G]$ such that

$$v\bar v = \mathrm{Tr}(\alpha^2) + \mathrm{Tr}(\alpha\alpha^q)\phi + \mathrm{Tr}(\alpha\alpha^{q^2})\phi^2 + \mathrm{Tr}(\alpha\alpha^{q^3})\phi^3.$$

Note that $\mathrm{Tr}(\alpha\alpha^{q^3}) = \mathrm{Tr}(\alpha\alpha^q)$ and $\mathrm{Tr}(\alpha\alpha^{q^2}) = 2\,\mathrm{Tr}_{\mathbb{F}_{q^2}/\mathbb{F}_q}\big(N_{\mathbb{F}_{q^4}/\mathbb{F}_{q^2}}(\alpha)\big) = 0$. Writing $v = a + b\phi + c\phi^2 + d\phi^3$ with $a, b, c, d \in \mathbb{F}_q$ and letting $\beta = \alpha + \alpha^{q^2}$, we easily get the equations:

$$a + b + c + d = \mathrm{Tr}(\alpha) = \beta + \beta^q, \qquad (a + c)(b + d) = \mathrm{Tr}(\alpha\alpha^q) = \beta\beta^q.$$

It follows that $\{\beta, \beta^q\} = \{a + c,\, b + d\}$, namely $\beta \in \mathbb{F}_q$, which is impossible since it would imply $\alpha + \alpha^{q^2} = \alpha^q + \alpha^{q^3}$, contradicting the fact that $\alpha$ generates a normal basis. The result now follows using Theorem 2.



2 Change of self-dual normal basis 



The next result, which is essentially a different formulation of the "key" lemmas 2 and 3 of [12], is an immediate consequence of Theorem 2 and the observations that if $\alpha$ generates a self-dual normal basis, then $R = 1$, and that if $v\bar v = 1$, then $v^{-1} = \bar v$.

Corollary 2.1 Let $\alpha$ generate a self-dual normal basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$. The map $v \mapsto v \circ \alpha$ is an isomorphism between the group of solutions of the equation $v\bar v = 1$ in $\mathbb{F}_q[G]$ and the group of elements of $\mathbb{F}_{q^n}$ that generate a self-dual normal basis.

It follows that computing all self-dual normal bases from one is equivalent to finding all the solutions $v \in \mathbb{F}_q[G]^\times$ of the equation $v\bar v = 1$. We devote the rest of this section to explaining how this equation can be solved, first in the semi-simple case and then in the ramified case.



2.1 The semi-simple case 



The decomposition (6) from Section 1 is useful to find the solutions of this equation. Let $V(X) \in \mathbb{F}_q[X]/(X^n - 1)$.

Proposition 2.2 The polynomial $V(X)$ satisfies the equation $V(X)V(X^{n-1}) = 1$ modulo $X^n - 1$ if and only if the following conditions hold:

$$V(1) = \pm 1 \quad (\text{case } s = 0),$$

$$V(\zeta^s)V(\zeta^{-s}) = 1 \quad \text{for } s \not\sim n - s,$$

$$V(\zeta^s)^{q^{r/2} + 1} = 1 \quad \text{for } 0 \ne s \sim n - s, \text{ where } r \text{ is such that } \mathbb{F}_q(\zeta^s) = \mathbb{F}_{q^r}.$$

Note that $r$ is the degree of the irreducible factor $f_i$ of $X^n - 1$ such that $f_i(\zeta^s) = 0$.

Proof. The component at $s = 0$ is $V(1)$ and the equation we need to solve in $\mathbb{F}_q(\zeta^0) = \mathbb{F}_q$ is simply $V(1)^2 = 1$ because the action of conjugation in $\mathbb{F}_q$ is trivial.

For $s \not\sim n - s$, we have to consider the product $\mathbb{F}_q(\zeta^s) \times \mathbb{F}_q(\zeta^{-s})$. We have seen in the proof of Lemma 1.7 that conjugation swaps coordinates in these two factors. The solutions are the powers of $(g_s, g_s^{-1})$ where $g_s$ is any primitive element of $\mathbb{F}_q(\zeta^s)$.

For $0 \ne s \sim n - s$, we have seen in the proof of Lemma 1.8 that the set of invariants under conjugation $J$ is the subfield $\mathbb{F}_{q^{r/2}}$ of $\mathbb{F}_{q^r} = \mathbb{F}_q(\zeta^s)$. Conjugation $J$ is an $\mathbb{F}_{q^{r/2}}$-automorphism of $\mathbb{F}_{q^r}$ of order 2, hence $J(x) = x^{q^{r/2}}$ for $x \in \mathbb{F}_{q^r}$. The equation we want to solve can be written $x^{q^{r/2} + 1} = 1$. Note that $q^{r/2} + 1$ divides $q^r - 1$ so we find exactly $q^{r/2} + 1$ solutions, generated by any element of order $q^{r/2} + 1$ in $\mathbb{F}_q(\zeta^s)$. ∎



We remark that this proof provides generators for the group of solutions of $v\bar v = 1$, so we can easily derive the cardinality of this group, which by Corollary 2.1 is also the number of self-dual normal bases of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$. As expected, this calculation agrees with the result in [12] which was obtained using the formulas given in [16]; note that the cyclic shift of a basis is considered to be the same basis in [12], but not here, so our formula differs from the one found there by a factor $n$.

Theorem 2.3 Consider the decomposition (4) of $X^n - 1$ over $\mathbb{F}_q$. The number of self-dual normal bases of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ is given by

$$2^{\lambda} \prod_{i=2}^{a} (q^{c_i} + 1) \prod_{j=1}^{r} (q^{d_j} - 1), \qquad \text{where } \lambda = 0 \text{ for even } q \text{ and } \lambda = 1 \text{ for odd } q,\; 2c_i = \deg f_i \text{ and } d_j = \deg g_j.$$

Proof. The case $s = 0$ has solutions $\pm 1$ in odd characteristic, and only 1 for even $q$. For the case $0 \ne s \sim n - s$, we found a generator of order $q^{c_i} + 1$ for the set of solutions in the field $\mathbb{F}_q(\zeta^s)$. For the case $s \not\sim n - s$, let $g$ be a primitive element in $\mathbb{F}_q[X]/(g_j) \cong \mathbb{F}_q(\zeta^s)$; the solutions are the powers of $(g, g^{-1})$. ∎
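The following Python functions, added here as an illustration and not taken from the paper, compute the cyclotomic classes of Proposition 1.3 from $(q, n)$ alone, sort them into the self-reciprocal and paired factors of (4) using the criterion $s \sim n - s$, and evaluate the count of Theorem 2.3 from the resulting degrees. No field arithmetic is needed; only the integers $q$ and $n$ enter.

```python
# Added example (not code from the paper): cyclotomic classes of q modulo n
# (Proposition 1.3) and the count of self-dual normal bases of Theorem 2.3.
from math import gcd


def cyclotomic_classes(q, n):
    """Partition {0, ..., n-1} into classes of s ~ s' iff s = q^k s' mod n."""
    seen, classes = set(), []
    for s in range(n):
        if s in seen:
            continue
        cls, t = [], s
        while t not in cls:
            cls.append(t)
            t = (t * q) % n
        classes.append(cls)
        seen.update(cls)
    return classes


def factor_degrees(q, n):
    """Degrees of the irreducible factors of X^n - 1 over F_q, split as in (4):
    returns (cs, ds) with 2*c_i = deg f_i for the self-reciprocal factors
    other than X - 1, and d_j = deg g_j for the pairs (g_j, g_j^*)."""
    cs, ds, paired = [], [], set()
    for cls in cyclotomic_classes(q, n):
        s = cls[0]
        if s == 0 or s in paired:
            continue
        if (n - s) % n in cls:        # class is its own mirror image: an f_i
            cs.append(len(cls) // 2)  # Proposition 1.3 (d): even degree
        else:                         # class and its mirror class: g_j, g_j^*
            ds.append(len(cls))
            paired.update((n - t) % n for t in cls)
    return cs, ds


def count_self_dual_normal_bases(q, n):
    """Theorem 2.3: number of self-dual normal bases of F_{q^n}/F_q, cyclic
    shifts counted as distinct; semi-simple case with n odd only."""
    if n % 2 == 0 or gcd(n, q) != 1:
        raise ValueError("semi-simple case with n odd only")
    cs, ds = factor_degrees(q, n)
    assert 1 + 2 * sum(cs) + 2 * sum(ds) == n   # the degrees add up to n
    total = 2 if q % 2 else 1                   # s = 0: V(1) = +-1, or only 1
    for c in cs:
        total *= q ** c + 1                     # 0 != s ~ n - s
    for d in ds:
        total *= q ** d - 1                     # s !~ n - s
    return total


if __name__ == "__main__":
    for q, n in [(2, 3), (2, 5), (2, 7), (2, 9), (3, 5)]:
        print(q, n, cyclotomic_classes(q, n), count_self_dual_normal_bases(q, n))
```

For $q = 2$ and $n = 3, 5, 7$ the count equals $n$, i.e. a single self-dual normal basis up to cyclic shift; for $q = 2$, $n = 9$ the two self-reciprocal factors of degrees 2 and 6 give $(2 + 1)(2^3 + 1) = 27$.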



2.2 The ramified case 



We deal only with the odd characteristic case, so we let $p$ be an odd prime number, and $q$ and $n$ be powers of $p$.

Theorem 2.4 There are $2q^{(n-1)/2}$ solutions $v \in \mathbb{F}_q[G]$ to the equation $v\bar v = 1$.

This result can easily be derived from [11, Theorem 2], which states that if $n = sp$, where $s$ is any integer, then $|O(sp, q)| = q^{(p-1)s/2}\,|O(s, q)|$. The original statement is due to MacWilliams in the prime base field case [16, Theorem 2.6]. We now reinterpret MacWilliams' constructive proof in our specific case, $n$ a power of $p$, so as to explain the structure of the algorithm we used to compute the orthogonal circulant group in the ramified case.

Proof. First note that the solutions of the equation $v\bar v = 1$ all lie in $\mathbb{F}_q[G]^\times$, and recall from Subsection 1.2.1 that $\mathbb{F}_q[G]^\times$ is the direct product $\mathbb{F}_q^\times \times (1 + (\phi - 1)\mathbb{F}_q[G])$, the first component being simply the image by the augmentation map $\varepsilon$. For $v \in \mathbb{F}_q[G]^\times$, let $w \in (\phi - 1)\mathbb{F}_q[G]$ be such that $v = \varepsilon(v)(1 + w)$, then $v\bar v = 1$ if and only if $\varepsilon(v) = \pm 1$ and $w + \bar w + w\bar w = 0$. Setting $r = w + \frac{w\bar w}{2}$, the second condition becomes $\bar r = -r$, namely

$$r = \sum_{k=1}^{(n-1)/2} r_k \left(\phi^k - \phi^{n-k}\right) \qquad (9)$$

for some $r_k \in \mathbb{F}_q$, hence $r$ can take $q^{(n-1)/2}$ values in $\mathbb{F}_q[G]$. We now show that $w$ is uniquely defined by $r$, and how it can be computed, see [16, Appendix A]. One has $w = r - \frac{w\bar w}{2}$, hence $\bar w = -r - \frac{w\bar w}{2}$ and $w\bar w = -r^2 + \frac{(w\bar w)^2}{4}$, so that:

$$w = r + \frac{r^2}{2} - \frac{(w\bar w)^2}{8}.$$

Replacing iteratively $w\bar w$ by $-r^2 + \frac{(w\bar w)^2}{4}$ in the above formula increases the (even) power to which $w\bar w$ appears; this process terminates since, as an element of $(\phi - 1)\mathbb{F}_q[G]$, $w = (\phi - 1)y$ for some $y \in \mathbb{F}_q[G]$, so $w^n = (\phi^n - 1)y^n = 0$. ∎



Remark 2.5 In the odd characteristic case, the formula in Theorem 2.3 reads:

$$2 \prod_{i=2}^{a} (q^{c_i} + 1) \prod_{j=1}^{r} (q^{d_j} - 1) \;\approx\; 2q^{\sum_i c_i + \sum_j d_j} = 2q^{(n-1)/2}.$$

In both semi-simple and ramified cases, the size of the trace-orthogonal group is close to $2\sqrt{q^{n-1}}$, which means that an exhaustive search quickly becomes lengthy when $q$ or $n$ increases.

We now show that one can also get an explicit formula for the solutions of the equation.



Theorem 2.6 The solutions $v \in \mathbb{F}_q[G]$ to the equation $v\bar v = 1$ are exactly the sums $v = \sum_{i=0}^{n-1} v_i (\phi - 1)^i$ with $v_0 = \pm 1$ and, for $1 \le i \le \frac{n-1}{2}$, $v_{2i-1}$ is any element of $\mathbb{F}_q$ and $v_{2i} \in \mathbb{F}_q$ is such that:

$$\sum_{j=0}^{2i} (-1)^j \sum_{k=0}^{2i-j} \binom{n-j}{k}\, v_j\, v_{2i-j-k} = 0. \qquad (10)$$

Note that (10) gives a formula for $v_{2i}$ in terms of the $v_k$ with $0 \le k \le 2i - 1$, for instance $-2v_0v_2 = -v_1^2 + v_0v_1$ and $-2v_0v_4 = v_0v_2 - v_1v_2 - 2v_1v_3 + v_2^2 + 3v_0v_3$. Our proof begins as a specialisation to the case $s = 1$ of that of [2, Satz 3.3] (note that [11] points out a mistake in the end of the proof of this statement); dealing with this simpler case enables us to deduce a constructive formula.

Proof. We wish to solve the equation $v\bar v = 1$ in $\mathbb{F}_q[G]$. We shall proceed by successive approximation, solving $v\bar v = 1$ modulo $(X - 1)^i$ for $1 \le i \le n$, where we identify again $v$ and its image under the isomorphism

$$\mathbb{F}_q[G] \cong \mathbb{F}_q[X]/(X - 1)^n$$

mapping $\phi$ to $X$. The first step is obvious: $\mathbb{F}_q[X]/(X - 1) = \mathbb{F}_q$ is involution invariant, hence the equation reads $v^2 = 1$ modulo $(X - 1)$, namely $v = \pm 1$ modulo $(X - 1)$. The family $((X - 1)^k)_{0 \le k \le n-1}$ is a basis of the $\mathbb{F}_q$-vector space $\mathbb{F}_q[X]/(X - 1)^n$, hence we write $v = \sum_{k=0}^{n-1} v_k (X - 1)^k$, with $v_0 = \pm 1$ and $v_k \in \mathbb{F}_q$. We compute the conjugates $\overline{(X - 1)^i} = (\bar X - 1)^i$ of our basis elements.

Lemma 2.7 For $0 \le i \le n - 1$, $(X - 1)^i$ divides $\overline{(X - 1)^i}$ and, more precisely:

$$\overline{(X - 1)^i} = (-1)^i \sum_{k=0}^{n-i-1} \binom{n-i}{k} (X - 1)^{k+i} \equiv (-1)^i (X - 1)^i \bmod (X - 1)^{i+1}.$$

Proof. Let $0 \le i \le n - 1$, then

$$\overline{(X - 1)^i} = (X^{n-1} - 1)^i = \left((1 - X)X^{n-1}\right)^i = (-1)^i (X - 1)^i X^{n-i},$$

hence the equality, using Newton's formula for $X^{n-i} = (X - 1 + 1)^{n-i}$ (the term $k = n - i$ vanishes in $\mathbb{F}_q[X]/(X - 1)^n$). ∎
This result implies an important property for our approximation procedure.

Lemma 2.8 Let $1 \le i \le \frac{n-1}{2}$, then

$$\left(v\bar v \equiv 1 \bmod (X - 1)^{2i-1}\right) \;\Longrightarrow\; \left(v\bar v \equiv 1 \bmod (X - 1)^{2i}\right).$$

Proof. Suppose the left hand side assertion is satisfied and write

$$v\bar v \equiv 1 + u(X - 1)^{2i-1} \bmod (X - 1)^{2i}$$

for some $u \in \mathbb{F}_q$. Applying the involution shows that $(X - 1)^{2i}$ divides $v\bar v - 1 - u\,\overline{(X - 1)^{2i-1}}$, therefore

$$v\bar v \equiv 1 + u\,\overline{(X - 1)^{2i-1}} \bmod (X - 1)^{2i},$$

and, thanks to Lemma 2.7, we get:

$$0 = u\left((X - 1)^{2i-1} - \overline{(X - 1)^{2i-1}}\right) \equiv 2u(X - 1)^{2i-1} \bmod (X - 1)^{2i},$$

hence $u = 0$. ∎



In particular we get that, if $v_0 = \pm 1$, then $v\bar v \equiv 1 \bmod (X - 1)^2$ for any value of $v_1 \in \mathbb{F}_q$. We now need a formula for the coefficients of $v$ of even positive index.

Lemma 2.9 Suppose $v\bar v \equiv 1 \bmod (X - 1)^{2i}$ for some integer $1 \le i \le \frac{n-1}{2}$, then $v\bar v \equiv 1 \bmod (X - 1)^{2i+1}$ if and only if $v_{2i}$ satisfies (10).

Proof. Without any hypothesis on $v\bar v$, one checks using Lemma 2.7 that:

$$v\bar v = \sum_{l=0}^{n-1} \left( \sum_{j=0}^{l} \sum_{k=0}^{l-j} (-1)^j \binom{n-j}{k}\, v_j\, v_{l-j-k} \right) (X - 1)^l.$$

With our assumption on $v\bar v$, we get:

$$v\bar v \equiv 1 + \left( \sum_{j=0}^{2i} \sum_{k=0}^{2i-j} (-1)^j \binom{n-j}{k}\, v_j\, v_{2i-j-k} \right) (X - 1)^{2i} \bmod (X - 1)^{2i+1},$$

hence the result, noticing that $\binom{n}{k} = 0$ for $1 \le k \le n - 1$ whereas $\binom{n}{0} = \binom{n-2i}{0} = 1$, so that $v_{2i}$ appears in this coefficient only through the term $2v_0 v_{2i}$. ∎

This ends the proof of Theorem 2.6. ∎
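To illustrate Theorems 2.4 and 2.6 together (an added example, not the paper's MAGMA code), the Python script below works in $\mathbb{F}_p[X]/(X^n - 1)$ with $q = p$ odd and $n$ a power of $p$. It represents $v$ both in the monomial basis and in the basis $((X - 1)^k)_k$, and builds every solution of $v\bar v = 1$ by the successive approximation of the proof: $v_0 = \pm 1$, the odd-index coefficients chosen freely, each even-index coefficient fixed by testing the $p$ candidates against the congruence of Lemma 2.9 rather than by evaluating the binomial sum (10) explicitly. The list is compared with a brute-force enumeration of all $p^n$ elements, which confirms the count $2p^{(n-1)/2}$ of Theorem 2.4 for the constructed cases $(p, n) = (3, 3)$, $(5, 5)$ and $(3, 9)$.

```python
# Added example (not code from the paper): solutions of v * conj(v) = 1 in
# F_p[X]/(X^n - 1), p odd and n a power of p, by brute force and by the
# successive approximation of Theorem 2.6. Polynomials are coefficient lists
# indexed by the exponent of X, reduced modulo p and modulo X^n - 1.
from itertools import product


def mul_mod(a, b, p, n):
    """Product in F_p[X]/(X^n - 1): cyclic convolution of coefficient lists."""
    r = [0] * n
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                r[(i + j) % n] = (r[(i + j) % n] + ai * bj) % p
    return r


def conj(a, n):
    """Conjugation X -> X^{n-1} = X^{-1}: coefficient k moves to index -k mod n."""
    return [a[(-k) % n] for k in range(n)]


def from_shifted(coeffs, p, n):
    """v = sum_k v_k (X - 1)^k  ->  monomial coefficients of v (Horner scheme)."""
    v = [0] * n
    for vk in reversed(coeffs):
        shifted = [0] + v[:-1]                       # v * X   (degree stays < n)
        v = [(s - c) % p for s, c in zip(shifted, v)]  # v * (X - 1)
        v[0] = (v[0] + vk) % p
    return v


def to_shifted(v, p, n):
    """Inverse of from_shifted: repeated synthetic division by (X - 1)."""
    a, out = list(v), []
    for _ in range(n):
        d = len(a) - 1
        if d == 0:
            out.append(a[0] % p)
            a = [0]
            continue
        q = [0] * d                  # a = (X - 1) * q + r
        q[d - 1] = a[d]
        for i in range(d - 1, 0, -1):
            q[i - 1] = (a[i] + q[i]) % p
        out.append((a[0] + q[0]) % p)
        a = q
    return out


def is_one_mod_power(v, m, p, n):
    """Does v * conj(v) = 1 hold modulo (X - 1)^m ?"""
    prod = mul_mod(v, conj(v, n), p, n)
    prod[0] = (prod[0] - 1) % p
    return all(c == 0 for c in to_shifted(prod, p, n)[:m])


def constructive_solutions(p, n):
    """Theorem 2.6: v_0 = +-1, v_{2i-1} free, v_{2i} forced (Lemma 2.9).
    Returns the sorted list of solutions as monomial-coefficient tuples."""
    m = n
    while m % p == 0:
        m //= p
    if m != 1:
        raise ValueError("n must be a power of p")
    half, sols = (n - 1) // 2, []
    for v0 in (1, p - 1):
        for odds in product(range(p), repeat=half):
            coeffs = [v0] + [0] * (n - 1)
            for i in range(1, half + 1):
                coeffs[2 * i - 1] = odds[i - 1]        # free odd coefficient
                for cand in range(p):                  # exactly one cand works
                    coeffs[2 * i] = cand
                    if is_one_mod_power(from_shifted(coeffs, p, n), 2 * i + 1, p, n):
                        break
                else:
                    raise RuntimeError("no lift found")
            v = from_shifted(coeffs, p, n)
            assert mul_mod(v, conj(v, n), p, n) == [1] + [0] * (n - 1)
            sols.append(tuple(v))
    return sorted(sols)


def brute_force_solutions(p, n):
    """All v in F_p[X]/(X^n - 1) with v * conj(v) = 1, by trying all p^n elements."""
    one = [1] + [0] * (n - 1)
    return sorted(v for v in product(range(p), repeat=n)
                  if mul_mod(v, conj(v, n), p, n) == one)


if __name__ == "__main__":
    for p, n in [(3, 3), (5, 5), (3, 9)]:
        sols = constructive_solutions(p, n)
        print(p, n, len(sols), sols == brute_force_solutions(p, n))
```

For $(p, n) = (3, 3)$ the six solutions are $\pm 1, \pm X, \pm X^2$; for $(5, 5)$ and $(3, 9)$ the constructed lists have $50$ and $162$ elements, as $2p^{(n-1)/2}$ predicts, and coincide with the brute-force lists.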
3 Experiments

3.1 Algorithms



Using MAGMA, we have implemented two algorithms based on the results of this paper: the first finds a self-dual normal basis for a given extension $\mathbb{F}_{q^n}/\mathbb{F}_q$ satisfying the existence conditions of Theorem 1 and such that the degree $n$ is either prime to the characteristic or a power of it; the second computes the orthogonal circulant group and uses it to construct all self-dual normal bases of the extension from the former one, then selects those which have the lowest complexity. Both these algorithms have a semi-simple and a ramified version.



3.1.1 Computation of a self-dual normal basis

Our first algorithm permits us to find a self-dual normal basis for somewhat large extensions. For example, one can find a self-dual normal basis (of complexity 44431) for $q = 1009$ and $n = 211$. Here is the structure of this algorithm in the semi-simple case $\gcd(n, q) = 1$:

Step 1. Compute the $q$-cyclotomic classes of the set $\{0, \dots, n-1\}$.

Step 2. Let $m$ be the size of the largest class (the class which contains 1) and choose $\zeta$ of order $n$ in $\mathbb{F}_{q^m}$.

Step 3. Build the matrices $F(\zeta) = (\zeta^{ij})_{i,j}$ and $F(\zeta^{-1})$.

Step 4. Find a normal element $\alpha$ in $\mathbb{F}_{q^n}$. (This was already implemented in MAGMA, and uses methods which can be found in the book [18].)

Step 5. Compute $R \in \mathbb{F}_q[G]$ defined in Theorem 2. Using the matrix $F(\zeta)$, map $R$ to $R' = \mathcal{F}(R) \in (\mathbb{F}_{q^m})^n$.

Step 6. Use Lemmas 1.6, 1.7 and 1.8 to find a solution $v' \in \operatorname{Im}\mathcal{F} \subset (\mathbb{F}_{q^m})^n$ of $v'\overline{v'} = R'$. Bring back $v'$ to $\mathbb{F}_q[G]$ using the matrix $F(\zeta^{-1})$ to obtain $v$ such that $v\bar v = R$. Compute $w = v^{-1}$.

Step 7. Compute and output $\gamma = w \circ \alpha$.

In the odd characteristic, ramified case, we pick a normal element $\alpha$ in $\mathbb{F}_{q^n}$ and compute $R \in \mathbb{F}_q[G]$; by Proposition 1.2 solving the equation $v\bar v = R$ reduces to computing a square root of $R$ in $\mathbb{F}_q[G] \simeq \mathbb{F}_q[X]/(X-1)^n$, which can be achieved by computing a square root of $R$ modulo $X-1$ and then using Hensel lifting.



3.1.2 Computation of all self-dual normal bases of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$

The second algorithm can be used whenever the orthogonal circulant group is not too large for an exhaustive enumeration, see Remark 2.5 and the tables in the next subsection. Here is its structure in the semi-simple case $\gcd(n, q) = 1$:



Step 8. Use Proposition 2.2 to find generators (and their orders) of the group $U$ of solutions of $u\bar u = 1$ in $\mathbb{F}_q[G]$ (this is actually done on the right hand side, using generators of $\mathbb{F}_{q^{m_k}}^*$, where $m_k$ is the size of the cyclotomic class).

Step 9. For each $u$ in $U$ (elements of $U$ are enumerated using the generators found above), compute: the generator $\gamma = (uw) \circ \alpha$ of a self-dual normal basis, the multiplication-by-$\gamma$ matrix $\big(\operatorname{Tr}(\gamma^{1+q^i+q^j})\big)_{i,j}$, and the complexity of $\gamma$. Update statistics accordingly (the best complexity found up to now, the list of best self-dual normal bases).

Step 10. Finally, output the statistics (mainly the best complexity, and the number of times this complexity was achieved).



In the ramified case, we list all the elements $r \in \mathbb{F}_q[G]$ satisfying the required condition, and compute the associated $w$ as in the proof of Theorem 2.4 (i.e. iteratively); the group of solutions of $v\bar v = 1$ consists of the elements $1 + w$ obtained this way together with their opposites $-1 - w$. We have each of these elements act on the self-dual normal basis constructed above and determine the complexity of the resulting self-dual normal basis.
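As an added illustration (this is not the paper's MAGMA code), the following Python script performs the brute-force version of Steps 8 to 10 for the smallest binary extensions: it enumerates every element of $\mathbb{F}_{2^n}$, keeps those generating a self-dual normal basis, computes the multiplication-by-$\gamma$ matrix $\big(\operatorname{Tr}(\gamma^{1+2^i+2^j})\big)_{i,j}$ of Step 9 and reports the lowest complexity together with the number of generators reaching it, which reproduces the $n = 3, 5, 7, 9$ entries of the $\mathbb{F}_2$ table below. The irreducible polynomials representing the fields are our own choice and are assumed, not taken from the paper.

```python
# Added example, not from the paper: exhaustive search of self-dual normal bases
# of F_{2^n}/F_2 for small n.  Elements are ints in a polynomial basis modulo an
# irreducible polynomial chosen here (x^3+x+1, x^5+x^2+1, x^7+x+1, x^9+x^4+1).
MODULI = {3: 0b1011, 5: 0b100101, 7: 0b10000011, 9: 0b1000010001}

def gf_mul(a, b, n):
    # shift-and-add multiplication in F_{2^n}, reducing modulo MODULI[n]
    r = 0
    while b:
        if b & 1:
            r ^= a
        b, a = b >> 1, a << 1
        if (a >> n) & 1:
            a ^= MODULI[n]
    return r

def trace(a, n):
    # absolute trace a + a^2 + ... + a^(2^(n-1)), an element of F_2 (0 or 1)
    t, c = 0, a
    for _ in range(n):
        t ^= c
        c = gf_mul(c, c, n)
    return t

def conjugates(a, n):
    # the Frobenius orbit a, a^2, a^4, ..., a^(2^(n-1))
    cs = [a]
    for _ in range(n - 1):
        cs.append(gf_mul(cs[-1], cs[-1], n))
    return cs

def is_self_dual_normal(a, n):
    # Tr(a^{2^i} a^{2^j}) = delta_ij; orthonormal conjugates are linearly
    # independent, so such an a is automatically a normal element as well
    cs = conjugates(a, n)
    return all(trace(gf_mul(cs[i], cs[j], n), n) == (1 if i == j else 0)
               for i in range(n) for j in range(i, n))

def complexity(a, n):
    # non-zero entries of the multiplication-by-a matrix, which in a self-dual
    # normal basis is (Tr(a^{1+2^i+2^j}))_{i,j} as in Step 9 above
    cs = conjugates(a, n)
    return sum(trace(gf_mul(gf_mul(a, cs[i], n), cs[j], n), n)
               for i in range(n) for j in range(n))

def best_self_dual_complexity(n):
    # lowest complexity over all self-dual normal bases of F_{2^n}/F_2 and the
    # number of generators reaching it (a multiple of n, one per conjugate)
    cs = [complexity(a, n) for a in range(1, 1 << n) if is_self_dual_normal(a, n)]
    return min(cs), cs.count(min(cs))
```

For $n = 9$ the search already visits 511 candidates, which shows why the paper enumerates the orthogonal circulant group instead of the whole field for larger degrees.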



3.2 Tables 



The following tables show the complexity of the best self-dual normal basis, 
obtained with the above algorithms, for some extensions. We give separate 
tables for extensions in characteristic 2 and for extensions of small prime 
fields of odd characteristic. Blank entries have not been computed since the 
cost of exhaustive enumeration grows rapidly. 



3.2.1 Even characteristic 

The lowest complexity for self-dual normal bases of extensions over $\mathbb{F}_2$ is given in [?, Table 5.1] for odd degree up to 47. With our method we were able to verify these values up to $n = 45$ (the computation for degree 45 took approximately 25 hours on a 64-bit Xeon quad core running at 2.33 GHz). We include our table for completeness.



  n   |   3    5    7    9   11   13   15   17   19   21   23
  min |   5    9   21   17   21   45   45   81  117  105   45

  n   |  25   27   29   31   33   35   37   39   41   43   45
  min |  93  141   57  237   65   69  141   77   81  165  153
Note that [17, Table 4] gives a minimal complexity of 171 for normal bases in degree 37, where we find a self-dual normal basis of complexity 141, agreeing with Geiselmann [?, loc. cit.]. Since only one digit differs between these two results, we suspect that there may be a typo in [17, loc. cit.].



Using Lemma 1.1 one gets an upper bound for the best self-dual normal complexities in even degree up to $n = 90$, using the fact that any element of $\mathbb{F}_4/\mathbb{F}_2$ of trace 1 generates an optimal self-dual normal basis (of complexity 3). Comparing to the results in [17, Table 4] for $n$ up to 34, we see that this construction yields the best possible complexity in degrees 10, 22 and 34, and a reasonably good one in degrees 6, 14, 18, 26 and 30.



We get optimal self-dual normal bases in degrees $n = 3, 5, 9, 11, 23, 29, 33, 35, 39$ and 41. We know by [?, Corollary 3.6] that $2n+1$ has to be prime and 2 of order $n$ or $2n$ modulo $2n+1$ for this to happen, therefore we do not get optimal self-dual bases in degrees 15 and 21, since 2 is of order 5 modulo 31 and of order 14 modulo 43.



We also give a table for other small even $q = 2^r$. Note that $\alpha^{q^i}$ for $0 \le i \le n-1$ generates the same normal basis as $\alpha$, so the number of times the lowest complexity is obtained is a multiple of $n$. When we found more than $n$ bases with the lowest complexity, we indicate the multiplier between parentheses. For example, we found 27 bases with complexity 45 for $q = 8$ and $n = 9$.



  q \ n |   3      5       7       9      11   13   15      17   19      21   23   25
  ------+-------------------------------------------------------------------------------
    2   |   5      9      21      17      21   45   45      81   117(2)  105  45   93
    4   |   5      9      21      17      21   45   45      81   117(2)  105  45   93
    8   |   9(3)   9      21      45(3)   21   45   81(3)   81
   16   |   5      9      21      17      21   45
   32   |   5     19(15)  21      17      21
   64   |   9(21)  9      21      45(3)
  128   |   5      9      37(98)
  256   |   5      9

(Blank entries have not been computed.)

When $\gcd(n, r) = 1$ we always found the same best complexity for the extension $\mathbb{F}_{2^{rn}}$ over $\mathbb{F}_{2^r}$ as for the extension $\mathbb{F}_{2^n}$ over $\mathbb{F}_2$. This observation is partially explained by the following fact, which is also valid for odd $q$ (see [?, Lemma 4.2] for a partial proof).

Lemma 3.1 If $\alpha$ generates a self-dual normal basis of $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$, and $\gcd(n, r) = 1$, then $\alpha$ generates a self-dual normal basis of $\mathbb{F}_{q^{rn}}$ over $\mathbb{F}_{q^r}$, with the same complexity.

One easily checks that if an extension $\mathbb{F}_{q^n}/\mathbb{F}_q$ admits both a self-dual normal basis and an optimal normal basis of type I (see [8]), then $q$ and $n$ have to be even, say $q = 2^r$ and $n = 2m$, with $m$ odd and $2m+1$ prime. If this is the case, the extension is the compositum of the fields $\mathbb{F}_{q^2}$ and $\mathbb{F}_{q^m}$, each of which may or may not admit an optimal self-dual normal basis. Specifically, one can show that $\mathbb{F}_{q^2}/\mathbb{F}_q$ admits one if and only if $r$ is odd, and that $\mathbb{F}_{q^m}/\mathbb{F}_q$ admits one if 2 is of order $m$ or $2m$ modulo $2m+1$ and $m$ is coprime to $r$. If all these conditions are satisfied, the self-dual normal basis of $\mathbb{F}_{q^n}$ obtained by multiplying these two bases is, by Lemma 1.1, of complexity $3(2m-1) = 3n-3$, which is also the complexity of the dual basis of the optimal normal basis of $\mathbb{F}_{q^n}$, see [?, Theorem 5.4.10] ([23] even shows that the dual of any basis which is equivalent to the optimal one has complexity $3n-3$). This holds for instance for the extensions of $\mathbb{F}_2$ of degrees 6, 10, 18, 22, 46, ..., and those of $\mathbb{F}_8$ of degrees 10, 22, 46, ...



3.2.2 Odd characteristic 

Now we give the table showing some experiments for odd $q$. Here, the number of bases with least complexity is a multiple of $2n$ because $\pm\alpha^{q^i}$ for $0 \le i \le n-1$ generates a normal basis with the same complexity as the one generated by $\alpha$. The multiplier we indicate between parentheses, when we found more than $2n$ bases with lowest complexity, is relative to $2n$. For example, we found $4 \times 2n = 8n$ bases with complexity 51 for $q = 13$ and $n = 9$.



  q \ n |   3    5    7    9      11     13    15   17   19   21   23   25
  ------+------------------------------------------------------------------
    3   |   7*  13   25   37*     55     67         91  172       127  135
    5   |   6   13*  25   46      64(2)  85        157  153  150
    7   |   6   16   19*  41      61     96    87
   11   |   6   13   25   52      31*   100    78
   13   |   6   13   25   51(4)   64     37*
   17   |   8   13   25   51(5)   64    100
   19   |   8   13   31   51      67

(Blank entries have not been computed. Entries marked with * are printed in bold face and are those where the degree $n$ is a power of the characteristic.)

Bold-face entries (namely $q = 3$ with $n = 3$ or 9, and $q = n = 5, 7, 11, 13$) correspond to the best complexity in the case when the degree $n$ is a power of the characteristic. In this case, whenever $n$ is prime, the best complexity is $3n-2$, and is obtained with the basis exhibited in [3, Theorem 5.3]. This basis is rather explicit, since it is generated by the root of a trinomial, yielding a very interesting family of self-dual normal bases of complexity fairly close to the optimal one.

We have made no computation for "mixed degree" $n = n_1 p^e$ with $\gcd(n_1, p) = 1$, $n_1 > 1$ and $e > 0$, but one gets an upper bound for the lowest complexity in that case by multiplying the lowest complexity in degree $n_1$ by that in degree $p^e$, thanks to Lemma 1.1. For instance, the best complexity for $q = 5$ and $n = 15$ is at most $6 \cdot 13 = 78$. Note that when $n = \ell\ell'$ for prime numbers $\ell \ne \ell'$, both different from $p$, the best complexity for the compositum is not necessarily the product of those for the degree $\ell$ and degree $\ell'$ extensions ($n = 15$, $q = 7$); however it can be so ($n = 15$, $q = 11$; $n = 21$, $q = 5$).

In the semi-simple case, we also computed the best complexity for some odd non-prime values $q = p^r$, which do not appear in this table. When $\gcd(n, r) = 1$ we always found the same best complexity for the extension $\mathbb{F}_{q^n}$ over $\mathbb{F}_q$ as for the extension $\mathbb{F}_{p^n}$ over $\mathbb{F}_p$, as well as the same multiplier for the number of bases with the best complexity (as in the even characteristic case).

In odd characteristic, the only exhaustive search for lowest complexities among normal bases we are aware of is in [3], over prime base fields. The lowest complexity for self-dual normal bases is the same as the one they obtain for normal bases when $n = 3$ and $q = 7$ or 13; it is slightly larger when $n = 3$ and $q = 19$ (8 instead of 6) and when $n = 5$ and $q = 11$ (13 instead of 12). Note that in this last case, Liao and Feng give in [?, Example 2] a construction of a normal basis with minimal complexity 12, using Gauss periods, whose dual basis has complexity 13. Their construction remains valid when replacing the base field $\mathbb{F}_{11}$ by an extension of degree prime to 5.



3.3 Conclusion



Our algorithms enable us to compute the minimal complexity for self-dual normal bases in various extensions of finite fields, including some for which the exhaustive enumeration of normal bases would not be reasonable. In odd characteristic, the lowest complexities we obtain are either the same as or close to those obtained in former computations on normal bases using theoretical constructions or exhaustive search, analogously to what could already be observed in even characteristic. However, the cost of the exhaustive search of all self-dual normal bases (once one has been constructed) is still a limitation of this method. In order to make self-dual normal bases practical, it would thus be desirable to find a direct construction of those with low complexity.

A striking fact when looking at the tables above is the repetition of values along columns, albeit with some exceptions. We have a partial explanation for this phenomenon, which may also help in achieving the former goal, in terms of global considerations on cyclotomic extensions of the rationals generated by $n^2$-th roots of unity, where $n$ is a prime. A known construction yields a global self-dual normal basis generator $\alpha_n$ such that, for any prime $p \ne n$ which does not split in the considered extension, the residue modulo $p$ of $\alpha_n$ is a candidate for a best complexity basis for $\mathbb{F}_{p^n}/\mathbb{F}_p$. We hope to give full details about this construction in a future paper.